I checked that there are no firewall issues.
On the universal forwarder in splunkd.log:
07-15-2013 13:09:50.264 -0700 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997
07-15-2013 13:09:52.395 -0700 INFO BatchReader - Removed from queue file='/opt/splunkforwarder/var/log/splunk/metrics.log.1'.
07-15-2013 13:09:52.636 -0700 INFO WatchedFile - Will begin reading at offset=4575529 for file=
On the Splunk server in splunkd.log:
07-15-2013 14:36:05.672 -0400 INFO BatchReader - Removed from queue file
I am not sure why I don't see logs in the indexer. Not sure what I might be missing?
Here are the files:
sourcetype = syslog
index = syslog
disabled = false
disabled = false
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*
Do you have anything defined as part of inputs on your forwarder? You can verify by doing:
$SPLUNK_HOME/bin/splunk list monitor
If you want the internal logs forwarded in, you may have to explicitly allow them in through outputs.conf configuration:
[tcpout]
defaultGroup = GroupName
disabled = false
# Forward the internal indexes as well as the non-internal ones
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*
Yes, I have defined a stanza in the inputs.conf file. Even after adding your configuration in the outputs.conf file I still don't see the logs coming in. Just not sure why?
Did you set up your indexer to listen for incoming data on the port you've defined in outputs.conf? You should be able to use the following command to see:
$SPLUNK_HOME/bin/splunk display listen
So you only have one tcpout configured on your UF? Have you defined an index called syslog on your indexer? On your indexer, do you see anything within your metrics.log regarding data being sent from your UF? Is this the only input defined on your UF?
So you only have one tcpout configured on your UF?
Have you defined an index called syslog on your indexer?
On your indexer, do you see anything within your metrics.log regarding data being sent from your UF?
Sometimes it shows and then it's gone.
Is this the only input defined on your UF?
If you are defining index = syslog for your input on your UF, you need to have an index called syslog on your indexer.
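The two mismatches this thread turns on (an input pointing at an index the indexer does not define, and a tcpout server port with no matching splunktcp listener) can be checked offline by parsing the .conf files on both sides. This is an added example, not code from the thread or from Splunk; the .conf contents, the 10.0.0.5 indexer address and the stanza names are constructed to mirror the configuration discussed above.

```python
import configparser
from typing import List

# Constructed sample .conf contents modelled on the thread. Splunk .conf files are
# INI-like: [stanza] headers followed by key = value lines.
UF_INPUTS = """
[monitor:///var/log/messages]
sourcetype = syslog
index = syslog
disabled = false
"""
UF_OUTPUTS = """
[tcpout]
defaultGroup = GroupName
disabled = false
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*
[tcpout:GroupName]
server = 10.0.0.5:9997
"""
IDX_INPUTS = "[splunktcp://9997]\ndisabled = false\n"      # indexer listener
IDX_INDEXES = "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n"  # only 'main' is defined


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text; keys are case-sensitive and '$' must not be interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_forwarding(uf_inputs: str, uf_outputs: str, idx_inputs: str, idx_indexes: str) -> List[str]:
    """Return human-readable mismatches between forwarder and indexer configuration."""
    ui, uo, ii, ix = (load_conf(t) for t in (uf_inputs, uf_outputs, idx_inputs, idx_indexes))
    problems = []
    # 1. Every enabled monitor input must target an index that exists on the indexer.
    defined = set(ix.sections())
    for s in ui.sections():
        if s.startswith("monitor:") and ui.get(s, "disabled", fallback="false") == "false":
            idx = ui.get(s, "index", fallback="main")
            if idx not in defined:
                problems.append(f"{s}: index '{idx}' is not defined on the indexer")
    # 2. Every server in the default tcpout group needs an enabled splunktcp listener on that port.
    listeners = {s.split("://", 1)[1] for s in ii.sections()
                 if s.startswith("splunktcp://") and ii.get(s, "disabled", fallback="false") == "false"}
    group = uo.get("tcpout", "defaultGroup", fallback=None)
    if group is None or not uo.has_section(f"tcpout:{group}"):
        problems.append("outputs.conf: defaultGroup has no matching [tcpout:<group>] stanza")
    else:
        for server in uo.get(f"tcpout:{group}", "server").split(","):
            port = server.strip().rsplit(":", 1)[-1]
            if port not in listeners:
                problems.append(f"{server.strip()}: indexer has no enabled [splunktcp://{port}] listener")
    return problems
```

With the constructed files the check reports only the missing syslog index, which matches the final answer in the thread; adding a [syslog] stanza to the indexer's indexes.conf clears it.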